UK government to tap white hat hackers in security probe

Some seven months after Britain's Revenue and Customs department lost data …

Seven months ago, England was rocked by the revelation that Her Majesty's Revenue and Customs (HMRC) department had lost two CDs containing the personal information of some 25 million families. The embarrassing incident spawned several government probes and a thorough investigation into the UK's data retention and security policies. As part of that initiative, Cabinet Secretary Gus O'Donnell announced yesterday that the UK's civil service system would be attacked by white hat hackers employed by the government. Such attacks will test the new security methods that have been adopted in the wake of the HMRC's data loss disaster, and will hopefully discover any weak points in the new system.

The O'Donnell report (PDF, via The Register) acknowledges the difficulty of maintaining individual privacy while gathering the data the government claims to require in order to provide the services its citizens desire. Achieving this goal, O'Donnell argues, requires more than tightening security; it necessitates the adoption of a new organizational culture that places high emphasis on data security. In order to drive that need home, organizations and ministries must hold individuals and departments more accountable for their actions, define a baseline of common procedures and practices that all departments adhere to, and scrutinize the efficacy of their own data security more thoroughly than was done in the past.

The aforementioned "white hat" hacker attack is one program O'Donnell hopes will boost the willingness of UK citizens to trust the government with their personal data. "The risk we must counter is that citizens and business lose trust in the Government to handle their data effectively," the report reads. "It would be foolish not to acknowledge that the lapses in data security have affected this confidence."

Indeed, the UK's data security policies (or lack thereof) have taken a beating on multiple fronts. A second, recently released security report by business consultant Kieran Poynter blamed the HMRC's security breach on an overall culture of insecurity rather than the specific actions of any one person, and a third investigation into how top-secret intelligence documents were left on a Surrey train earlier this year is also underway. Hopefully the end result of these inquiries will be a government that takes data retention more seriously—data theft is a big enough problem as it is.